
    <!DOCTYPE HTML>
    <html lang="en" data-template="post-page">
    <head>
        
    <meta charset="UTF-8"/>
    <title>GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites | FortiGuard Labs</title>
    <meta name="keywords" content="brute force attack,wordpress,FortiGuards Labs,FortiGuard Labs Threat Research,botnet"/>
    <meta name="description" content="FortiGuard Labs encountered an unreported CMS scanner and brute forcer written in the Go programming language. Read our analysis of the malware and how this active botnet scans and compromises websites."/>
    <meta name="template" content="post-page"/>
    

    <meta name="viewport" content="width=device-width, initial-scale=1"/>


<meta name="google-site-verification" content="tiQ03tSujT2TSsWJ6tNHiiUn8cwYVmdMQrGUCNrPQmo"/>

<meta property="og:site_name" content="Fortinet Blog"/>
<meta property="og:title" content="GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites | FortiGuard Labs"/>
<meta property="og:url" content="https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites"/>
<meta property="og:type" content="article"/>
<meta property="og:description" content="FortiGuard Labs encountered an unreported CMS scanner and brute forcer written in the Go programming language. Read our analysis of the malware and how this active botnet scans and compromises webs…"/>
<meta property="og:image" content="https://www.fortinet.com/content/dam/fortinet-blog/article-images/DEC10-HERO.jpg"/>

<meta property="twitter:card" content="summary"/>
<meta property="twitter:site" content="@Fortinet"/>

<meta property="article:author" content="Eduardo Altares, Joie Salvio and Roy Tay "/>

    <meta property="article:section" content="FortiGuard Labs Threat Research"/>


    <meta property="article:published_time" content="2022-12-12T06:49:00.000-08:00"/>


    <meta property="article:tag" content="brute force attack"/>

    <meta property="article:tag" content="wordpress"/>

    <meta property="article:tag" content="FortiGuards Labs"/>

    <meta property="article:tag" content="botnet"/>


<link rel="shortcut icon" href="/etc/designs/fortinet-blog/favicon.ico"/>
<link rel="canonical" href="https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites"/>






    
<link rel="stylesheet" href="/etc.clientlibs/fortinet-blog/clientlibs/clientlib-base.min.css" type="text/css">







            
        

    </head>
    <body>
    



    
<div class="root responsivegrid">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
<section class="b4-hero aem-GridColumn aem-GridColumn--default--12">



<div class="b4-hero__container" style="background-image:url(/content/dam/fortinet-blog/article-images/DEC10-HERO.jpg);">
    <img class="ratio" alt="GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites | FortiGuard Labs" aria-hidden="true" src=""/>
    <div class="b4-hero__text text-container">
        <p data-ly-test class="b4-hero__kicker">FortiGuard Labs Threat Research</p>
        
        
        <h1 class="b4-hero__headline">GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites</h1>
        
    </div>
</div>
</section>
<section class="b15-blog-meta aem-GridColumn aem-GridColumn--default--12">

<div class="b15-blog-meta__container text-container">
    <span>By </span>

    <span class="b15-blog-meta__author">

        
					

                        

                                  
                                      
                                            
                                          
                                           
                                                 <a href="/blog/search?author=Eduardo+Altares">Eduardo Altares,</a>
                                          
                                      
                                  
                          

                                  
                                      
                                            
                                          
                                              <a href="/blog/search?author=+Joie+Salvio"> Joie Salvio</a> and
                                          
                                           
                                      
                                  
                          

                                  
                                      
                                            
                                              <a href="/blog/search?author=Roy+Tay+">Roy Tay </a>
                                          
                                          
                                           
                                      
                                  
                          
                    
        
    </span>
    <span class="b15-blog-meta__">
        

              </span>



    <span class="b15-blog-meta__date"> | December 12, 2022</span>
</div>
</section>
<div class="responsivegrid aem-GridColumn aem-GridColumn--default--12">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
    <div class="raw-import aem-GridColumn aem-GridColumn--default--12">
<div class="text-container"></div>
</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><a href="https://www.fortinet.com/fortiguard/labs?utm_source=blog&amp;utm_campaign=fortiguardlabs" target="_blank">FortiGuard Labs</a> recently encountered a previously unreported Content Management System (CMS) scanner and brute forcer written in the Go programming language (also commonly referred to as Golang). We took a closer look at this malware because it was being described in several online forums as being installed in compromised WordPress sites, but there were no publicly available analysis reports.</p>
<ul>
<li><b>Affected Platforms:</b> Linux</li>
<li><b>Impacted Users:</b> Any organization</li>
<li><b>Impact:</b> Remote attackers gain control of the vulnerable systems</li>
<li><b>Severity Level:</b> Critical</li>
</ul>
<p>Golang brute forcers are not new. For example, we previously reported on the <a href="https://www.fortinet.com/blog/threat-research/unveiling-stealthworker-campaign">StealthWorker</a> campaign in 2019. This new brute forcer is part of a new campaign we have named GoTrim because it is written in Go and uses “<b>:::trim:::</b>” as the delimiter to split data communicated to and from the C2 server.</p>
<p>Similar to StealthWorker, GoTrim also utilizes a <a title="bot network" href="https://www.fortinet.com/resources/cyberglossary/bot?utm_source=blog&amp;utm_medium=blog&amp;utm_campaign=bot-cyberglossary">bot network</a> to perform distributed brute force attacks. The earliest sample we found was from Sep 2022. That campaign is still ongoing at the time of writing.   </p>
<p>This article details how this active botnet scans and compromises websites using WordPress and OpenCart. We also highlight some differences between samples collected from Sep to Nov 2022 at the end of the article.</p>
<h2>Attack Chain</h2>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites/_jcr_content/root/responsivegrid/image.img.png/1670684543601/picture1.png" alt="Screenshot of Figure 1: GoTrim attack chain"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 1: GoTrim attack chain</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>GoTrim uses a bot network to perform distributed brute force attacks against its targets. Each bot is given a set of credentials to use to attempt to log into a long list of website targets. After a successful login, a bot client is installed into the newly compromised system. It then awaits further commands from the threat actors, thereby expanding the bot network.</p>
<p>GoTrim only reports credentials to the C2 server after a successful brute force attempt. We did not observe any code in GoTrim for propagating itself or deploying other malware. However, we did find PHP scripts that download and execute GoTrim bot clients. It seems likely that the threat actor is somehow abusing compromised credentials to deploy PHP scripts to infect systems with GoTrim.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites/_jcr_content/root/responsivegrid/image_1547821569.img.png/1670684592119/picture2.png" alt="Screenshot of Figure 2: PHP downloader script"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 2: PHP downloader script</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>Typically, each script downloads the GoTrim malware from a hardcoded URL to a file in the same directory as the script itself and executes it. To cover its tracks, both the downloader script and GoTrim brute forcer are deleted from the infected system. It does not maintain persistence in the infected system.</p>
<h2>Static Analysis</h2>
<p>Analysis detailed in this article is based on a sample with SHA-256 hash c33e50c3be111c1401037cb42a0596a123347d5700cee8c42b2bd30cdf6b3be3, unless stated otherwise.</p>
<p>GoTrim is built with Go version 1.18. As with all Go applications, every third-party library used in the code is statically linked into the binary, resulting in a relatively large executable. This has the advantage of not depending on any external files to execute correctly. To reduce the size, the malware is packed with UPX, which shrinks the file from 6 MB to 1.9 MB.</p>
<p>Another advantage of using Go is that the same source code can be cross-compiled to support different architectures and Operating Systems. Based on the source code paths in the samples, Windows was used during the development of GoTrim. However, we have only observed samples targeting 64-bit Linux in the wild.</p>
<h2>C2 Communication</h2>
<p>GoTrim can communicate with its Command and Control (C2) server in two ways: a client mode, where it sends HTTP POST requests to the C2 server, or a server mode, where it starts an HTTP server of its own and listens for incoming POST requests. All data exchanged with the C2 is encrypted using the Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) with a key derived from a passphrase embedded in the malware binary.</p>
<p>By default, GoTrim attempts to run in server mode if the infected machine is directly connected to the Internet—that is, if the victim's outbound or <a title="ip address" href="https://www.fortinet.com/resources/cyberglossary/what-is-ip-address?utm_source=blog&amp;utm_medium=blog&amp;utm_campaign=blog-what-is-ip-address">local IP address</a> is not in a private range. Otherwise, it falls back to client mode.</p>
<p>Upon execution, GoTrim creates an MD5 hash representing a unique identification for the infected machine (bot ID). This is generated from the following string containing several pieces of information delimited by the “:” character:</p>
<p style="margin-left: 40.0px;"><i>VICTIM_EXTERNAL_IP</i>:<i>HTTP_SERVER_PORT</i>:1:<i>OUTBOUND_IP</i>:<i>AES_PASSPHRASE</i></p>
<ul>
<li><b>VICTIM_EXTERNAL_IP</b>: External/public IP of the machine</li>
<li><b>HTTP_SERVER_PORT</b>: HTTP server port. In server mode this is a randomly generated number in the 4000–7999 range (the same range described in the Server Mode section below). It is always 0 in client mode.</li>
<li><b>Malware initialization flag</b>: Always set to 1 by the time the bot ID is being calculated</li>
<li><b>OUTBOUND_IP</b>: Outbound/local IP address of the victim machine.</li>
<li><b>AES_PASSPHRASE</b>: Hardcoded string embedded into each sample. The malware later uses the SHA-256 hash of this string as the AES-GCM key for encrypting its communication with the C2 server. The same AES passphrase is shared among all samples we observed. Because the key is derived from a constant that ships inside the binary, the encryption hides the traffic from casual network inspection but does not prevent anyone holding a sample from decrypting captured C2 traffic.</li>
</ul>
<p>After generating the bot ID, GoTrim spawns a goroutine (Go's lightweight concurrency primitive, comparable to a thread) that periodically sends a beacon request to the C2 server. This beacon is sent in both client and server modes.</p>
<p>The C2 request URLs change between versions, as discussed in a later section of this article. For this particular sample, the beacon request URL is “/selects?dram=1”.</p>
<p>In this beacon request, several pieces of victim and bot information are sent to the C2 server, as seen in Figure 3.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites/_jcr_content/root/responsivegrid/image_142625587.img.png/1670684765602/picture3.png" alt="Screenshot of Figure 3: Screenshot of data sent to the C2 server"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 3: Screenshot of data sent to the C2 server</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>Some of the interesting fields sent in the beacon request include the following:</p>
<p style="margin-left: 40.0px;">1. <b>Bot ID</b>: unique ID for the bot<br />
2. <b>External IP</b>: public IP address of the victim machine<br />
3. <b>HTTP Server Port</b>: randomly generated port for the HTTP server (0 in client mode)<br />
4. <b>Malware Initialization Flag</b>: always set to 1 by the time this request is made<br />
5. <b>Outbound IP</b>: local IP address of the victim machine<br />
6. <b>Status Message</b>: The “GOOD” message is replaced by other strings that report the status of any running CMS detection or brute forcing tasks during subsequent beacon requests.<br />
7. <b>Status Flags</b>: These indicate whether the malware currently has any processing tasks assigned by the C2 server and the IDs of these tasks<br />
8. <b>MD5 Checksum</b>: This value is generated from parts of the above request and the hardcoded AES passphrase. It serves as an application-level message integrity checksum, in addition to the authentication that AES-GCM already provides for the encrypted payload.</p>
<p>The fields are joined together with the <b><i>:::trim:::</i></b> string, hence the name chosen for this campaign. The data is then encrypted with AES-256-GCM, using as the key the SHA-256 hash of the previously mentioned passphrase.</p>
<p>The server usually responds with “OK”, “404 page not found”, or “BC”, all encrypted with the same AES-GCM key. When “BC” is received, GoTrim will regenerate its bot ID and switch from server to client mode.</p>
<p>The first beacon request is to register a new bot (victim) to the bot network.</p>
<p>After each beacon request, GoTrim sleeps for anywhere from a few seconds to several minutes before sending the next one; the delay depends on the C2 server's response and on whether the malware is currently working on C2-assigned tasks. The malware regularly performs this beacon request to update the C2 server about the bot's status, including any successfully brute-forced credentials, as discussed in the brute forcing section of the article. If GoTrim fails to receive a valid response from the C2 server after 100 retries, it terminates itself.</p>
<p>While the beacon requests are being sent asynchronously to update the C2 server on its status, GoTrim either sends a request to the C2 server to receive commands (client mode) or sets up an HTTP server to listen for incoming tasking requests (server mode).</p>
<h2>Client Mode</h2>
<p>In client mode, the malware sends a POST request to “/selects?bilert=1” to receive commands from the C2 server.</p>
<p>The C2 server responds with the command encrypted with the same AES-GCM key. An example of a decrypted command can be seen below in Figure 4.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites/_jcr_content/root/responsivegrid/image_1093316642.img.png/1670685051142/picture4.png" alt="Screenshot of Figure 4: Screenshot of the response containing the command and its options"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 4: Screenshot of the response containing the command and its options</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>After splitting the data by the “<i>:::trim:::</i>” string, seven fields can be identified, as listed below.</p>
<p>1. <b>MD5 Checksum</b>: used for checking message integrity, e.g., 83217f8b39dccc2f9f2a0157f0236c4f<br />
2. <b>Command ID</b>: This indicates the command for the current task<br />
3. <b>Concurrency Level</b>: This affects how many goroutines are executed for each task<br />
4. <b>Command Options</b>: This contains options for the commands, separated by 7E 6A 71 6D 70 C2 A9 (~jqmp©) bytes. They are interpreted differently depending on the command:</p>
<p style="margin-left: 40.0px;">a. <b>Target List</b>: This is GZIP-compressed data, which, when decompressed, contains a list of domains that will be the target for the login attempts.<br />
b. <b>Command Option 1</b> (redacted): This option contains the username for authentication commands. Instead of using the same username for each domain, the C2 server can specify a series of bytes, like C2 A9 64, to use the domain as the username.<br />
c. <b>Command Option 2</b> (redacted): For authentication commands, this option contains the password<br />
d. <b>Command Option 3</b>: Unknown option for WordPress authentication<br />
e. <b>Command Option 4</b>: Option for WordPress authentication to use either POST request or XML-RPC when submitting credentials.</p>
<p>5. <b>Internal Values</b>: Numeric values that are not used by the malware itself (e.g., <i>42</i> and <i>255</i>) and likely represent internal tasking IDs for the current command.    </p>
<p>The malware supports the following commands:</p>
<ul>
<li><b>1</b>: Validate provided credentials against WordPress domains</li>
<li><b>2</b>: Validate provided credentials against Joomla! domains (currently not implemented)</li>
<li><b>3</b>: Validate provided credentials against OpenCart domains</li>
<li><b>4</b>: Validate provided credentials against Data Life Engine domains (currently not implemented)</li>
<li><b>10</b>: Detect WordPress, Joomla!, OpenCart, or Data Life Engine CMS installation on the domain</li>
<li><b>11</b>: Terminate the malware</li>
</ul>
<p>We have observed a target list containing up to 30,000 domains in a single WordPress authentication command. Additionally, we observed that authentication commands only provide a single password to test against all the domains in the list. As mentioned above, brute forcing is likely distributed by commanding a network of infected machines to test different domains and credentials.</p>
<p>After the malware has completed processing a command, it sleeps for a while before sending another POST request to receive a new task from the C2 server.</p>
<h2>Server Mode</h2>
<p>In server mode, GoTrim starts an HTTP server on a random port between 4000 and 7999 to respond to incoming POST requests sent by the threat actor. This mode gives the threat actor a more responsive way of communicating with the bot. For instance, the threat actor can check the status of a bot without waiting for its next beacon request, simply by sending a POST request to a specific URL handled by the bot’s HTTP server. From a defender's perspective, this also means an infected host with a public IP address exposes an unexpected listening port in the 4000–7999 range, which is worth looking for when hunting for this malware.</p>
<p>To issue a command to the machine, the threat actor sends a POST request to “/<i>BOT_ID</i>?lert=1” with the body containing the AES-256-GCM encrypted command data, similar to the response provided by the C2 server when the client requests commands (Figure 4). Server mode supports the same commands as client mode.</p>
<p>The threat actor can also send a request to “/<i>BOT_ID</i>?intval=1” to view the status of currently running tasks and whether assigned tasks have been completed.</p>
<p>When CPU utilization is below a certain level (75% or 90%, depending on the number of concurrent workers used for the current task), a separate goroutine is spawned to process each domain.</p>
<h2>Botnet Commands</h2>
<h3>Detect CMS</h3>
<p>GoTrim attempts to identify whether one of the four CMSes (WordPress, Joomla!, OpenCart, or DataLife Engine) is being used on the target website. It does this by checking for specific strings in the webpage content.</p>
<p>Interestingly, it only targets self-hosted WordPress websites, which it distinguishes by checking the Referer HTTP header for “wordpress.com”. Managed WordPress hosting providers such as wordpress.com usually implement more security measures to monitor, detect, and block brute forcing attempts than self-hosted WordPress websites, so the threat actor presumably judges that the chance of success there is not worth the risk of being discovered.</p>
<p>The strings used for determining the installed CMS are listed below.</p>
<p>WordPress</p>
<ul>
<li>“wp-content/plugins/” and “wp-content/themes/”</li>
<li>“wp-content/uploads/”</li>
<li>“wp-includes/js/”</li>
<li>“/xmlrpc.php”</li>
</ul>
<p>Joomla!</p>
<ul>
<li>“generator&quot; content=\&quot;Joomla!” AND “/templates/”</li>
<li>“/media/system/js/mootools.js” AND “/media/system/js/caption.js”</li>
<li>“index.php?option=com_”</li>
<li>“/modules/mod_”</li>
<li>“/components/com_”</li>
</ul>
<p>OpenCart</p>
<ul>
<li>“/index.php?route=common” and “/index.php?route=information”</li>
<li>“image/cache/catalog”</li>
<li>“catalog/view/theme/”</li>
<li>“catalog/view/javascript”</li>
</ul>
<p>DataLife Engine</p>
<ul>
<li>“DataLife Engine” and “~engine/classes/js/dle_js.js”</li>
<li>“index.php?do=search&amp;amp;”</li>
<li>“var dle_”</li>
</ul>
<p>While GoTrim can detect websites using the four CMSes above, it currently only supports authenticating against WordPress and OpenCart websites. This indicates that this botnet is still under development.</p>
<h2>Validate WordPress Credentials</h2>
<p>Aside from the username provided by the C2 server, it attempts to gather more usernames by sending a GET request to “/wp-json/wp/v2/users”.</p>
<p>After that, it tries to log in to the WordPress website using the list of usernames and the password provided in the C2 command by sending a POST request to “/wp-login.php”. Figure 5 shows an example of the POST request for logging in.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites/_jcr_content/root/responsivegrid/image_1833611386.img.png/1670685901756/picture5.png" alt="Screenshot of Figure 5: WordPress authentication request"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 5: WordPress authentication request</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>This request causes a redirect to the admin page of the WordPress website (i.e., /wp-admin) after a successful login. To confirm that the login and redirection were successful, it checks whether the response contains “id=\&quot;adminmenumain\&quot;”.</p>
<p>The C2 server can also specify that authentication be performed via the WordPress XML-RPC feature, which is another way for users to programmatically interact with the CMS remotely using XML. Because XML-RPC requests go directly to the web server’s backend, anti-bot mechanisms such as CAPTCHAs that normally apply to the website’s login pages may be bypassed.</p>
<p>After a successful login, the following information (delimited by “|”) is updated into a global status message and sent with the following request to the C2 (client mode) or in the response to incoming requests (server mode):</p>
<ul>
<li>Target URL</li>
<li>Username</li>
<li>Password</li>
<li>Command ID (1 for WordPress, 3 for OpenCart, etc.)</li>
<li>Brute force status (“0GOOD” for success)</li>
</ul>
<h2>Validate OpenCart Credentials</h2>
<p>GoTrim can also brute force websites running the open-source e-commerce platform OpenCart.</p>
<p>It sends a GET request to the target’s “/admin/index.php” and collects the authentication-related tokens and headers needed for the login request. It then performs the actual authentication by sending a POST request to the same URL with form-encoded data containing the username and the password.</p>
<p>To verify that the login request was successful, it checks if the website returned an OpenCart user token by searching for “/dashboard&amp;user_token=” and making sure the “redirect” value from the received data is not empty.</p>
<p>A valid authentication response should look like the following:</p>
<p style="margin-left: 40.0px;"><i>{&quot;redirect&quot;:&quot;https://example.com/opencart/admin/index.php?route=common/dashboard&amp;user_token=USER_TOKEN_HASH&quot;}</i></p>
<p>Upon successful login, the global status message is updated in the same way as for WordPress brute forcing.</p>
<h2>Anti-bot Checks</h2>
<p>GoTrim can detect anti-bot techniques used by web hosting providers and CDNs, such as Cloudflare and SiteGround, and evade some of their simpler checks.</p>
<p>It tries to mimic legitimate requests from Mozilla Firefox on 64-bit Windows by using the same HTTP headers sent by the browser and supporting the same content encoding algorithms: gzip, deflate, and Brotli.</p>
<p>For WordPress websites, it also detects whether CAPTCHA plugins are installed.</p>
<ul>
<li>Google reCAPTCHA</li>
<li>reCAPTCHA by BestWebSoft</li>
<li>WP Limit Login Attempts</li>
<li>Shield Security Captcha</li>
<li>All in One Security (AIOS) Captcha</li>
<li>JetPack Captcha</li>
<li>Captcha by BestWebSoft</li>
</ul>
<p>The malware contains code to solve the CAPTCHA for some of these plugins. However, we have yet to verify whether these bypass techniques actually work. We did determine that it cannot bypass the Google, WP Limit Login Attempts, and Shield Security CAPTCHAs.</p>
<p>In general, for the security plugins it cannot bypass, it only reports them to the C2 server by updating the global status message with information similar to the data it sends during a successful login. But it uses “3GOOD” for the brute force status to indicate that credential validation was skipped.</p>
<p>On encountering websites that contain the string “1gb.ru” within the page content, GoTrim also sends the same “3GOOD” brute force status. This appears to be a conscious decision to avoid targeting websites hosted by this provider, but the intent remains unclear.</p>
<h2>Campaign Updates</h2>
<p>While searching for other samples related to this campaign, we found a PHP script and binary from September 2022 with different URLs “/selects?param=1” and “/selects?walert=1” on C2 server 89[.]208[.]107[.]12 (Figure 6). The PHP script we detect as PHP/GoTrim!tr.dldr uses the same installation method, with only the download URL varying across the samples we gathered.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites/_jcr_content/root/responsivegrid/image_1747180550.img.png/1670686032882/picture6.png" alt="Screenshot of Figure 6: Code snippet from Sep 2022 version with different C2 servers"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 6: Code snippet from Sep 2022 version with different C2 servers</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>A version of the binary that appeared in November 2022 also updated its HTTP POST URLs (Figure 7). The beacon request URL “/selects?dram=1” and the command request URL “/selects?bilert=1” have been changed to “/route?index=1” and “/route?alert=1”, respectively. The encryption algorithm and keys used in the data transmission remain the same.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites/_jcr_content/root/responsivegrid/image_436184173.img.png/1670686068175/picture7.png" alt="Screenshot of Figure 7: Wireshark capture of POST requests from two versions of GoTrim"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 7: Wireshark capture of POST requests from two versions of GoTrim</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <h2>Conclusion</h2>
<p>Although this malware is still a work in progress, the fact that it has a fully functional WordPress brute forcer combined with its anti-bot evasion techniques makes it a threat to watch for—especially with the immense popularity of the WordPress CMS, which powers millions of websites globally.</p>
<p>Brute-forcing campaigns are dangerous as they may lead to server compromise and malware deployment. To mitigate this risk, website administrators should ensure that user accounts (especially administrator accounts) use strong passwords. Enforcing multi-factor authentication and rate-limiting login attempts—including those made through XML-RPC—further limits what a brute-forcing bot can achieve. Keeping the CMS software and associated plugins up to date also reduces the risk of malware infection through the exploitation of unpatched vulnerabilities.</p>
<p>FortiGuard Labs will continue to monitor GoTrim’s development.</p>
<h2>Fortinet Protections</h2>
<p>The FortiGuard Antivirus service detects and blocks this threat as <b>ELF/GoTrim!tr</b> and <b>PHP/GoTrim!tr.dldr</b>.</p>
<p>The <a href="https://www.fortiguard.com/updates/antivirus?utm_source=pr&amp;utm_medium=pr&amp;utm_campaign=updates%2Fantivirus">FortiGuard AntiVirus</a> service is supported by <a href="https://www.fortinet.com/products/next-generation-firewall.html?utm_source=blog&amp;utm_campaign=fortigate">FortiGate</a>, <a href="https://www.fortinet.com/products/email-security/fortimail.html?utm_source=blog&amp;utm_campaign=fortimail-main-page">FortiMail</a>, <a href="https://www.fortinet.com/products/endpoint-security/forticlient.html?utm_source=blog&amp;utm_campaign=endpoint-web-page">FortiClient</a>, and <a href="https://www.fortinet.com/products/endpoint-security/fortiedr.html?utm_source=blog&amp;utm_campaign=fortiedr">FortiEDR</a>, and the Fortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are protected.</p>
<p>FortiGuard Labs provides the <a href="https://www.fortiguard.com/encyclopedia/ips/52318">GoTrim.Botnet</a> IPS signature against GoTrim C2 activity.</p>
<p>The <a href="https://www.fortinet.com/support-and-training/support-services/fortiguard-security-subscriptions/web-filtering.html?utm_source=blog&amp;utm_campaign=web-filtering">FortiGuard Web Filtering</a> Service blocks the C2 servers and download URLs cited in this report.</p>
<p><a href="https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/ipreputation-antibot">FortiGuard IP Reputation and Anti-Botnet Security Service</a> proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.</p>
<h2>IOCs</h2>
<p><b>Files</b></p>
<p>646ea89512e15fce61079d8f82302df5742e8e6e6c672a3726496281ad9bfd8a</p>
<p>4b6d8590a2db42eda26d017a119287698c5b0ed91dd54222893f7164e40cb508</p>
<p>c33e50c3be111c1401037cb42a0596a123347d5700cee8c42b2bd30cdf6b3be3</p>
<p>71453640ebf7cf8c640429a605ffbf56dfc91124c4a35c2ca6e5ac0223f77532</p>
<p>3188cbe5b60ed7c22c0ace143681b1c18f0e06658a314bdc4c7c4b8f77394729</p>
<p>80fba2dcc7ea2e8ded32e8f6c145cf011ceb821e57fee383c02d4c5eaf8bbe00</p>
<p>de85f1916d6102fcbaceb9cef988fca211a9ea74599bf5c97a92039ccf2da5f7</p>
<p>2a0397adb55436efa86d8569f78af0934b61f5b430fa00b49aa20a4994b73f4b</p>
<p><b>Download URLs</b></p>
<p>hxxp://77[.]73[.]133[.]99/taka</p>
<p>hxxp://77[.]73[.]133[.]99/trester</p>
<p>hxxp://77[.]73[.]133[.]99/pause</p>
<p><b>C2</b></p>
<p>hxxp://77[.]73[.]133[.]99</p>
<p>hxxp://77[.]73[.]133[.]99/selects?dram=1</p>
<p>hxxp://77[.]73[.]133[.]99/selects?bilert=1</p>
<p>hxxp://77[.]73[.]133[.]99/route?index=1</p>
<p>hxxp://77[.]73[.]133[.]99/route?alert=1</p>
<p>hxxp://89[.]208[.]107[.]12</p>
<p>hxxp://89[.]208[.]107[.]12/selects?param=1</p>
<p>hxxp://89[.]208[.]107[.]12/selects?walert=1</p>


</div>

    
</div>
</div>

    
</div>
</div>


    
    
    

    
    





    



    
        
    
    

    </body>
    </html>
